Poor admin security settings for user groups?

[Freddy +]

Hiya,

I have created a 2nd admin user account with reduced access settings using the "Administration Capabilities" section.

Logging in with this account you can go into edit user and bump yourself up to all areas and worse still you can remove access for the main admin account. I assume you can also delete it (I don't want to test this).

I must be doing something wrong?

I need reduced admin levels so that others can login and do some editing (including user settings) but not bump themselves or remove me!

I tried creating a new user group called 'mod' but the "Administration Capabilities" select isn't present for any group other than admin.

Plus when I drop the test user account from admin to 'mod' level and try to login with that account it says the user isn't registered when I try a password recovery.

Many thanks

[Lhotch +]

Freddy,

We need to know what version of the script you are using.

[Freddy +]

Apologises Larry.

v4.1.0 RC3 Designer

Thanks,
Fred

[Lhotch +]

Quote:

Originally Posted by Freddy

Apologises Larry.

v4.1.0 RC3 Designer

Thanks,
Fred

Thats actually a BETA product and not even the most current one. What I recommend in situations like this is that you upgrade to the latest release candidate and if you still notice this problem click on the support link menu above the forum and chose "bug tracker". Then fill in the displayed form to get the issues reported to the developers so it can be looked into.

[Freddy +]

Ah I see. Only purchased a few days ago.

Before I reported as a bug I wanted to see if I was doing something wrong

Didn't realise it was beta. I will install the latest non beta and try again.

Many thanks,
Fred

[Eric Barnes]

Actually that is the way it was designed. The admin capabilities restricts access to certain pages in admin. It doesn't have a check to prevent them from editing their own capabilities if they have access to edit users.

That is a good idea though and I think that could be a very useful setting.

[Freddy +]

Quote:

Originally Posted by Eric Barnes

Actually that is the way it was designed. The admin capabilities restricts access to certain pages in admin. It doesn't have a check to prevent them from editing their own capabilities if they have access to edit users.

That is a good idea though and I think that could be a very useful setting.

Thanks Eric for reply.

Surprised I'm the first to bring this up in all honesty. Fairly standard requirement for delegating back end tasks with minimal access.

That said I am loving the script

Fast support too!

Cheers,
Fred

[Eric Barnes]

Thanks Fred. You know you are the first to mention this and it makes perfect sense. I would think just adding another checkbox will suffice in that section.

[Eric Barnes]

Just added this to the tracker: http://www.68classifieds.com/forums/issue-258/

[Freddy +]

Quote:

Originally Posted by Eric Barnes

Just added this to the tracker: http://www.68classifieds.com/forums/issue-258/

Thank you Sir.